Business Intelligence and the New Normal of Data Security
•Download as PPTX, PDF•
0 likes•169 views
Data security trends and what you can do about them - for business intelligence and data warehouse professionals. Presentation given to the 2020 Business Intelligence Summit, Auckland, New Zealand.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Business Intelligence and the New Normal of Data Security
Similar to Business Intelligence and the New Normal of Data Security (20)
Recently uploaded
Recently uploaded (20)
Business Intelligence and the New Normal of Data Security
- 2. Your Data Is the Crown Jewels Crown by KotomiCreations
- 3. Cyber Incidents Are Like the Weather • 1000+ SEC filings mention ransomware • NZ Institute of Directors advise boards to discuss cybersecurity Storm by Javier ruiz
- 4. Trends
- 5. Phishing and More Phishing • Third of incidents involve phishing • 60,000 covid-19 phishing attacks per day
- 6. Business Email Compromise Photo by Karolina Grabowska from Pexels
- 7. A Tsunami of Ransomware Tsunami by Petra Bensted
- 8. Nation-state Hacking in the Headlines • Cozy Bear - hacks covid-19 research • Fancy Bear - hacks your election
- 9. What’s Special About BI?
- 10. What Should I Do?
- 11. Don’t Take a Siloed Approach Silos by Doc Searls
- 12. BI in the Cloud Photo by Aleksandar
- 13. Summary 1. Understand cybercrime 2. Know your assets and risks 3. Know who has access to what 4. Put basic protections in place 5. Have a plan
- 14. Questions
Editor's Notes
- Cyber security is more and more in the news, and since covid-19 even more so. That’s no coincidence. I want to talk to you about what I think everyone in business should know about cybersecurity and cybercrime, and specifically how this is relevant to the world that you live in: the world of business intelligence and data management.
- As your typical BI and data warehouse has all of your organisation’s business and operational data it really has every piece of valuable data in your organisation. So, if an attacker gains access to your data warehouse they have access to all your key data – the crown jewels of most organisations. So, it becomes a very attractive target, whether that is to steal, destroy or to ransom. As we move into the realm of big data and BI in the cloud, we can now put vastly more data into our BI platforms faster than ever before, and the more data they hold the more valuable they come, and the harder they become to control. So, in today’s climate of increasing cybercrime, of covid-19 influenced cybercrime what do you need to be aware of and what can you do about it?
- Cyber-attacks are part of the new normal. Cybersecurity incidents are becoming a normal part of business just like weather – like taking into account droughts if you work in agribusiness in Hawkes Bay, or like OSH. Just as OSH is not just something that HR departments have to worry about, cybersecurity is no longer just something that IT companies or IT teams should be concerned with – it’s something that every business and every manager should be concerned with. Don’t take my word for it. Businesses are saying this too: In the US, over 1000 Security commission filings mentioned ransomware as a key business risk. The NZ Institute of directors has recently recommended that cybersecurity should be a regular discussion at board meetings. You cannot overestimate the amount of this stuff that is going on. Every organisation that I have worked for recently is under constant attack. For example they are suffering from numerous email phishing attempts per day – and those are just the ones they know about.
- So, what are the trends that we are seeing that I think you should be aware of? What’s fashionable amongst cybercriminals today? The current cybercrime trends look like this: Lots and lots of phishing, business email compromise, ransomware and a little bit of what we call real hacking. Covid-19 has impacted on this picture in a couple of interesting ways. Let me explain.
- The vast proportion of cybercrime starts with phishing. Phishing is basically tricking someone into giving the criminal some important personal information such as their username and password or their credit card details and they do that by impersonating someone or something. The example we are most familiar with is when someone sends you an email purporting to be your bank, or Microsoft saying you have to sign into the website straight away to rectify some problem or mistake. You go to the website and it’s really the criminal’s website but it looks just like the real one - and when you sign in you have just given them your username and password for internet banking or your email account. According to Verizon, in 2019 roughly one third of all security breaches involved phishing. Phishing is all-pervasive at the moment. Our clients will catch several phishing attempts per day. And that’s just the ones they see. My last employer was seeing on average 1-2 people falling for phishing attempts each week. Covid-19 has impacted phishing in two important ways – we’ve seen a large number of covid-19 themed phishing attacks. Like with any crisis we see phishing react quickly and adapt their techniques and material to current events. Microsoft is seeing 60,000 Covid-19 phishing attempts per day. Additionally, attackers are turning their phishing against targets that have become attractive due to Covid-19. This includes organisations researching vaccines as well as the World Health Organisation. Phishing is partly on the rise because it is so easy. It requires almost no technical skill and you can buy a whole phishing kit including email templates, websites and more for only a few dollars in criminal marketplaces. Why should you care about phishing? Well imagine if one of your developers or analysts accidentally gave away their username and password. What data could an attacker look at with that? What damage could they do?
- Another significant area of cybercriminal activity is Business Email Compromise. BEC is basically getting into someone’s email account and then tricking their organisation into giving the crim money. There are a number of ways that criminals do this but let me tell you about one incident that I was involved with. At a former employer, a criminal gained access to someone’s email account through phishing. They looked through this person’s emails until they found a vendor who was working for us on an ongoing project. They then sent an invoice pretending to be this vendor but with a different bank account number. The invoice looked exactly like every other invoice they had sent, and it was for work that the vendor was doing – so it all looked totally legitimate to everyone involved. Finance paid the invoice – around $30,000 and then it was a couple of weeks before the mistake was found. This is a totally typical kind of BEC, and for around a typical amount of money.
- It’s clear that the world is facing a tidal wave of ransomware. If you have heard of a cybercrime recently, chances are that it was a case of ransomware. With ransomware, an attacker penetrates an organisation’s defences, and then encrypts their data and then offers to decrypt that data for a ransom payment – usually in a crypto-currency such as bitcoin. In 2017 ransomware gangs were demanding hundreds of dollars in ransoms. Today they are demanding 10s of millions. Originally these gangs just encrypted personal computers, now they are encrypting servers and corporate databases. They have also taken to adding an additional threat. If you don’t pay the ransom, then not only will you not get your data back, but they will publish the juiciest parts on the internet. The NZ government’s cyber response team has put out a bulletin warning of a concerted campaign of ransomware targeted against NZ businesses. Recently, we have seen Lion, Toll, Fisher and Paykel all having their business seriously disrupted for days due to ransomware. Beer deliveries were stopped because of Lion’s ransomware issues. Beer! The only greater threat to the NZ way of life would be if ransomware interfered with Rugby! And if you thought that was far-fetched, Premier League teams in the UK have already been victims of cybercrime, and the UK government has warned of systematic attacks on sports clubs. Overseas we’ve seen major companies seriously disrupted by ransomware including Maersk and just last week Garmin. For several days you couldn’t upload your Garmin watch data to their website. The impacts from the Maersk incident were slightly more severe – they couldn’t ship containers, and it cost them millions. So this can affect anyone, and it’s just growing. One of the big things that has changed with Covid-19 has been the massive growth in working from home. This has led to IT teams having to rapidly scale up their remote access and VPN solutions. And this has led to a lot of poorly configured and poorly secured VPNs and other devices that connect your organisation to the internet. This, along with several significant security bugs from all of the main VPN vendors has led to technically savvy attackers being able to exploit all of these new VPNs to gain access to corporate networks. And this has been one of the key ways that ransomware crews have been using to make their initial entry.
- Something that you may have read about in the news a lot recently is state-sponsored hacking. Is nation state activity on the rise? Or is it just getting more press at the moment? I’m not sure, but it certainly seems that we can’t ignore it. Cozy bear (part of the Russian foreign intelligence service) has been recently linked by the US, Canadian, Australian and UK intelligence services to the hacking of Covid-19 research. Fancy Bear (a part of the GRU, Russian military intelligence) has been linked to lots of election influence attempts and recently to mass hacking of power systems in the US. Recently we have seen Chinese government hacking in Australia of both government and commercial targets in response to Australia’s calling for inquiries into China’s handling of Covid-19. I used to sneer at worrying about state-sponsored activity in NZ, but recent events have made me change my mind. In particular spill-over from Australia’s more aggressive attitude to China in the Pacific. We’ve seen NZ companies with headquarters in Australia affected. For example, the Australian logistics company Toll had their NZ operations impacted by attacks in Australia. Covid-19 has changed the targets of nation-state hackers, but little else. So now they are hacking each other’s health researchers and the WHO and spreading disinformation about the origins of Covid-19.
- BI and data warehouses suffer from many of the same security concerns as other parts of enterprise IT. Traditional BI systems run on servers, which have operating systems, they run on database platforms, and there are specific applications and tools and these all need securing the same way as other things in your organisation. There are some concerns that are specific to BI and Data warehouses. In my opinion the biggest specific problem is how to make sure that people can see the data they need, and not see things they shouldn’t. Especially when we are talking about all of the data your organisation holds. When you have all sorts of data in your data warehouse – some of it personal, some of it sensitive - and that data is available through your business intelligence tools, you need to be able to make sure that only the right people get to see specific data. This gets even trickier when we start talking about self-service approaches to business intelligence. You need to make sure that if you are giving a self-service option to someone, that you don’t give them access to the underlying data if they shouldn’t see it. When I implemented business intelligence at the Pacific Community, for HR and payroll data, there was some significant data that we didn’t want just anyone to see. Firstly, we gave access to everyone to see aggregate reporting – for example dashboards on average and total leave amounts by business unit. But we only allowed the HR team to see the underlying data. They could already see this stuff on the HR system directly, so there was no issue giving them access to it in the data warehouse. However, we could have looked at this in more detail and given more general access to people in other teams, if we could obscure key details such as salary. There are several different technical ways of doing this but they all require you to understand who your user is. Giving open slather access to databases doesn’t cut it. Think of how much harder this gets when we are using big data techniques for capturing and analysing unstructured data such as web logs, chat histories, tweets or the like. It is much harder to control access to a part of a file, than to a specific column in a structured dataset in a traditional SQL database. Again, the same principle applies even if the implementation is harder. If you can understand what data is in the files, what the value and sensitivity of it is and understand who needs access to it for what purpose, you can design methods for controlling that access.
- Well the first thing is: Don’t Panic! Luckily most breaches could have been easily prevented by basic security measures. The Australian Cyber Security Centre says that most of the recent attacks by China would have been prevented with 2 simple techniques: updating software and multi-factor authentication. But the first, and simplest thing I’d suggest you do is talk to your security team. No-one comes and talks to them voluntarily, so they’ll love it! Find out what they do for you, what they don’t do. You will probably find out something useful and having the security team onside can be really useful if something does go wrong. The next key thing I recommend you do is understand what data you have and understand the business risks that you are exposed to. What happens if you lose that data, what happens if an unauthorised person sees that data, what happens if it is tampered with, what happens if it’s put on the internet and what are the chances that these things will really happen? Technical controls are great, but make sure you put your effort on securing what’s important, and the only way to do this is to understand what the real risks are. For me this is one of the areas where talking about BI is interesting, because of the amount and breadth of the data that is held in these systems the risks are correspondingly higher. Beyond that higher level view, there are a few simple technical things you can do to improve your security. Swiftly updating software for security bugs is the number one thing your organisation should be doing. The vast proportion of cybercrime that you see reported in the paper only works on systems that haven’t been updated. The FBI recently indicted two Chinese state-sponsored hackers and the documentation showed that most of the things that they did relied on systems that hadn’t been updated. So make sure that your organisation is regularly updating and has a good process around what they do when they receive notification of a critical security vulnerability. Anti-virus software is a must of course. Everyone here uses an internet banking, right? Most bank’s for their internet banking require that they send you a one time password by SMS to your mobile phone. In the industry we call that multi-factor authentication of “MFA” because the code in the SMS is another factor alongside the first factor of your password. There are lots of ways to deliver multi-factor, many of them lots easier than receiving an SMS. The big thing about MFA is that it defeats most phishing attempts, because even if they have your username and password they still can’t get in because they don’t have that other factor. Multi-factor authentication should be standard for anyone in your organisation who has any sort of powerful access. At Axenic we use multifactor for all of our access – to protect our client’s important data, and it’s really easy to use. Most IT systems these days write every important event to a log – think of it like the list of phone calls on your phone bill or the list of transactions on your bank statement. Making sure that all of your systems are logging important events and putting those logs in a central place and keeping them for a decent amount of time greatly helps detecting when you have had an incident and also greatly helps the clean-up activity, because you know what has happened and when. Make sure your team understands about phishing and what to do if they get phished.
- These days attackers are not just finding a hole and stealing the first thing they see. More sophisticated hackers find a weak point, gain entry, and then they explore your network, looking for the most valuable information. They seek out other systems and check them for further vulnerabilities. Once they have done this, then they strike. Ransomware crews will look for the most critical information, the stuff that they can know will be the hardest for you to bear losing, and then encrypt and ransom that. This ensures that you will pay the ransom quickly, and it’s the data that they can ask the most money for. So you need to not just secure the BI and Data platforms, you need to be sure that the rest of the organisation is secure, and that your platform will still be secure even if the rest of the organisation has been compromised. In practice this means you can’t take a siloed view of your BI security. You may have done a great job of securing your assets from the outside world, you might have done a great job of training and securing your staff, but a weak link outside your department can just as easily lead to a breach for you. As well as this approach from attackers, the thing that Axenic sees often in our customers that concerns us the most is these systemic issues. We quite often see business units or projects address their risks well. We see them taking care of the things that are in their scope or remit and designing and implementing defences that are within their scope. But, what concerns us, is that they miss those issues, risks, and defences that range across the whole organisation. These are the risks that impact the whole organisation, or that aren’t specific to this system or project. These are the defences that require coordination or investment across the organisation to implement. These are the problems that arise somewhere else, but may impact this part, or, the problems that may arise here but only affect another part of the organisation. So make sure that you ask what’s happening outside your department. And ask if there is a method for managing these systemic issues. Some coordinated effort here can make lots of difference. Finally, ask if your assets are secured against intruders from inside your network. These precautions are often not take, but A few simple things can again make all the difference here.
- Many of you have already made the shift to doing BI in the cloud, and many of you will be considering the move. I’m currently working with TEC to help them shift their BI to the cloud. And there are so many good reasons to do so. Many of the coolest stuff is only available in cloud offerings – artificial intelligence and machine learning technologies are easily available in the cloud, but harder or impossible to deliver in your own data centre for example. Add to that the ability to easily scale and freedom from having to manage all of that stuff and the cloud looks compelling if you are in the data business. As a general rule I think that cloud delivers better security. The important qualification is that I’m talking here about the traditional large scale enterprise cloud vendors, AWS, Microsoft, Google, Rackspace. You can benefit from ISO27000 certified operations and technology – certainly significantly better security than your internal teams can deliver. I was talking to a SaaS vendor the other day – not a large one, and they described how they had an engineer whose only job it was to look at a feed of notices about important updates, to analyse those updates, and then automatically push them out to all their customers. That is a level of security in the patch management space that most NZ companies would find hard to match. And that’s just a small SaaS vendor. The big guys like AWS, Microsoft and Amazon operate at a scale that is almost unimaginable. So they’ll radically improve your security. However, they aren’t the solution to all your problems, and they do introduce some of their own! One thing that has been in the security press a lot recently is the issue of cloud data storage left on the internet with the front door unlocked so to speak. Anyone can then look at all of the data in that storage, and this keeps happening. The most amusing recent examples were from a dating site for swingers and from a group of cybercriminals. While I’m helping TEC move their BI and datawarehouse into the cloud, the key things that I am looking at from a security point of view are: Making sure that only authorised users get to access data and BI services, by careful management of users, their permissions and authentication. Securing cloud data stores, making sure that access to them is controlled and that they are not just open to the internet. Securing the connections between the things that we still have on-premise and our new cloud capabilities.
- Cybersecurity is just another risk to your business. You should understand it, like you understand other areas of risk. And while some of it is tricky and scary, a bit of common sense and some straight-forward measures will allow you to address the worst of it. In summary – here is my advice: You should understand cybercrime – just like you should understand OSH. Know what your data and information assets are, and what the key risks to them are. You should know who has access to what, and who needs access to what. Make sure your basic protections are in place – updating software. Anti-virus, multi-factor authentication, logging and making sure your team understand what phishing is. Have a plan for when you have a cyber-incident – as you inevitably will.